Title: JUNOS kernel cores when it receives a crafted TCP option.

Products Affected: All JUNOS Devices

Platforms Affected: JUNOS 8.x Security JUNOS 9.x JUNOS 7.x SIRT Security Advisory

Revision Number: 2

Issue Date: 2010-01-06

PSN Issue: The JUNOS kernel will crash (i.e. core) when a specifically crafted TCP option is received on a listening TCP port. The packet cannot be filtered with JUNOS's firewall filter. A router receiving this specific TCP packet will crash and reboot.

This issue was encountered via vendor interoperability configurations on a live network through normal network operations. Further internal investigation determined the underlying vulnerability and exploit.

Solution: Customers are advised to upgrade JUNOS through planned and methodical upgrade processes. All JUNOS software releases built on or after January 28, 2009 have fixed this specific issue. This specifically includes 8.1S2, 8.5-20090227-SR, 9.0-20090612-SR, 9.1R4, 9.2-20090130-SR, 9.2R4, 9.3-20090227-SR, 9.3-20090212-SR, 9.3R3, 9.4R1, and all subsequent releases.

PR Reference for this issue is PR 410970.

There are no totally effective workarounds for this specifically crafted TCP packet. Risk can be minimized by using best common practices (BCPs) that limit the TCP packets destined to the JUNOS device. The crafted TCP packet is spoofable, so IETF BCP 38 "anti-spoofing" techniques are required to prevent a spoofed packet from entering a network.

Note: If IETF BCP 38 style anti-spoofing is not feasible for all traffic, focus on anti-spoofing for the IP addresses used for the control plane, management plane, and link addresses. Packets transiting the router have no impact. The packet must be destined for an interface on the router which is listening to TCP.

Risk Level: Critical

Risk Assessment: CVSS Base Score of 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)

Created Date: 2010-01-05 16:25:12.0

Last Modified Date: 2010-01-06 17:14:32.0
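
The risk-reduction guidance above (limit the TCP packets destined to the device, and anti-spoof the control-plane, management and link addresses) could be expressed in JUNOS configuration as follows. This is an added example, not part of the advisory; the prefix list, filter name, prefix 192.0.2.0/24 and interface ge-0/0/0 are placeholders, and the edge link is assumed to have symmetric routing so that the reverse-path check does not drop legitimate traffic.

```junos
/* Constructed example: names, prefix and interface are placeholders. */
policy-options {
    prefix-list TRUSTED-TCP-PEERS {
        192.0.2.0/24;
    }
}
firewall {
    family inet {
        filter PROTECT-RE {
            term trusted-tcp {
                from {
                    source-prefix-list {
                        TRUSTED-TCP-PEERS;
                    }
                    protocol tcp;
                }
                then accept;
            }
            /* Any other TCP addressed to the router itself is dropped. */
            term other-tcp {
                from {
                    protocol tcp;
                }
                then discard;
            }
            term everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-RE;
                }
            }
        }
    }
    ge-0/0/0 {
        unit 0 {
            family inet {
                /* BCP 38 style source-address check on an edge link. */
                rpf-check;
            }
        }
    }
}
```

The filter matches on source address and protocol, not on the TCP option itself, so a packet from (or spoofed as) a permitted peer still reaches the listening port; this narrows exposure until the upgrade is done and is why the advisory pairs it with anti-spoofing.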